> On Sep 13, 2017, at 4:10 AM, Dominic Raferd <domi...@timedicer.co.uk> wrote:
>
> As Postfix SMTP server does not support SNI I think there is no point using
> -servername option above, so the above can be shortened to:
>
> echo |
> sudo openssl s_client -connect 127.0.0.1:587 -starttls smtp 2>/dev/null |
> openssl x509 -noout -checkend 259200
There is definitely good reason to avoid "sudo", which is unnecessary here.
As for SNI, indeed not needed if the server being tested is known to be Postfix.

> I'm still unclear whether the test is against the certificate data that
> is held within postfix or that is held within the SASL application
> (dovecot or cyrus).

Now you betray some confusion: SASL is NOT TLS and does not exchange
certificates with the SASL client. The application protocol that supports
SASL may run over TLS, in which case the server and sometimes also the client
might present X.509 certificates, but SASL could not possibly do that absent
a "TLS" mechanism for SASL that would use client certificates for
authentication and then TLS as the SASL "security layer". AFAIK no such
mechanism exists, and Postfix has no support for SASL "security layers" in
any case.

-- 
	Viktor.
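The expiry check discussed in this thread, as an added example that is not part of the original messages: it runs the same s_client / x509 -checkend test as an unprivileged user (no sudo), but separates "no certificate could be fetched" from "certificate is expiring", because the one-liner above returns exit status 1 for both (with stderr discarded, `openssl x509` also fails when it receives no certificate on stdin). The certificate examined is whatever the SMTP server presents during the STARTTLS handshake, which for Postfix is its own TLS configuration; the SASL backend (Dovecot or Cyrus) presents nothing. The host name in the self-signed test certificate and the `make_test_cert` helper are constructed for the offline test and are hypothetical.

```shell
#!/bin/sh
# Added example, not from the postfix-users thread.
#
# Exit status of check_smtp_cert_expiry HOST PORT SECONDS:
#   0  the server's certificate stays valid for at least SECONDS more
#   1  the certificate expires within SECONDS
#   2  no certificate could be fetched (connect or STARTTLS handshake failed)
# Keeping 1 and 2 apart stops a monitoring job from reporting an outage as
# "certificate expiring" or vice versa.

check_smtp_cert_expiry() {
    host=$1; port=$2; seconds=$3
    # Send QUIT so the server ends the session cleanly after the handshake.
    # Without pipefail the pipeline's status is that of the final x509,
    # which fails when s_client produced no certificate.
    pem=$(printf 'QUIT\r\n' \
          | openssl s_client -connect "$host:$port" -starttls smtp 2>/dev/null \
          | openssl x509 2>/dev/null) || return 2
    [ -n "$pem" ] || return 2
    printf '%s\n' "$pem" | check_pem_expiry_stdin "$seconds"
}

# The expiry test itself: 0 if the PEM certificate on stdin is still valid
# SECONDS from now, 1 if it will have expired by then.
check_pem_expiry_stdin() {
    openssl x509 -noout -checkend "$1" >/dev/null 2>&1
}

# Same test for a certificate stored in a file (e.g. the file Postfix serves).
check_pem_expiry() {   # file seconds
    openssl x509 -noout -checkend "$2" -in "$1" >/dev/null 2>&1
}

# Constructed self-signed certificate valid for DAYS days, used only to
# exercise the check offline. The CN is a hypothetical test name.
make_test_cert() {     # out_file days
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1.key" -out "$1" -days "$2" -subj "/CN=mail.example.test" \
        >/dev/null 2>&1
}

# Usage, as an unprivileged user (3 days = 259200 seconds):
#   check_smtp_cert_expiry 127.0.0.1 587 259200
```

Run it from the monitoring account rather than root: nothing in the fetch needs privileges, and a status of 2 from a previously working check is a connectivity or TLS configuration problem to investigate separately from certificate renewal.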